stdin

Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/tables.h
Examining data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c

FINAL RESULTS:

data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/tables.h:1:21:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
#define u8 unsigned char
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:442:7:  [2] (buffer) sprintf:
  Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
  vsnprintf. Risk is low because the source has a constant maximum length.
      sprintf((char *)hex+i*2,"%02X", (BYTE)buf[i]);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:474:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(k, k1, 16);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:475:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(k+16, k2, 16);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:481:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(nct, ct, 16);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:489:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(k2, k1, 16);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:490:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(k1, ct, 16);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:491:3:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
  memcpy(ct, nct, 16);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:599:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(mp->iv, Tcl_GetByteArrayFromObj(objv[5], &len), 16);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:665:11:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
          memcpy(mp->iv, buf+i, 16);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:720:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(tempiv, mp->iv, 16);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:721:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(tempiv+16, buf, len);
data/password-gorilla-1.6.0~git20180203.228bbbb/sources/twofish/twofish2tcl.c:728:9:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
        memcpy(mp->iv, tempiv+i, 16);

ANALYSIS SUMMARY:

Hits = 13
Lines analyzed = 935 in approximately 0.06 seconds (16745 lines/second)
Physical Source Lines of Code (SLOC) = 630
Hits@level = [0]  11 [1]   0 [2]  13 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  24 [1+]  13 [2+]  13 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 38.0952 [1+] 20.6349 [2+] 20.6349 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.